CCM-5680 setup terraform components
aidenvaines-bjss committed Jul 16, 2024
1 parent 702a62a commit 42e6378
Showing 49 changed files with 1,170 additions and 0 deletions.
Empty file removed infrastructure/images/.gitkeep
Empty file.
Empty file removed infrastructure/modules/.gitkeep
Empty file.
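--- a/infrastructure/terraform/.gitignore
+++ b/infrastructure/terraform/.gitignore
@@ -0,0 +1,60 @@
+### Terraform ###
+
+# Transient backends
+components/**/backend_tfscaffold.tf
+
+# Compiled files
+**/*.tfstate
+**/*.tfplan
+**/*.tfstate.backup
+**/.terraform
+**/.terraform.lock.hcl
+**/.terraform/*
+**/build/*
+**/work/*
+**/*tfstate.lock.info
+
+# Scaffold Plugin Cache
+plugin-cache/*
+
+# PyCache
+**/__pycache__
+
+### OSX ###
+**/.DS_Store
+**/.AppleDouble
+**/.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+*.swp
+.nyc_output
+
+# VS Code
+.vscode
+
+# IntelliJ Idea
+.idea
+**/*.iml
+
+# js
+node_modules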
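Review bot: The `**/.terraform.lock.hcl` pattern keeps the provider dependency lock out of version control, so every `terraform init` re-resolves the `~> 5.50` range declared in versions.tf and no provider checksums are committed for later runs or CI to verify against. Committing the lock file is the usual way to pin provider versions and hashes consistently across machines. If leaving it untracked is deliberate, a comment above the line saying why would stop the next reader from "fixing" it, e.g. `# .terraform.lock.hcl intentionally untracked: <reason>`.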
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
latest:^1.8
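--- a/infrastructure/terraform/components/acct/locals_tfscaffold.tf
+++ b/infrastructure/terraform/components/acct/locals_tfscaffold.tf
@@ -0,0 +1,44 @@
+locals {
+terraform_state_bucket = format(
+"%s-tfscaffold-%s-%s",
+var.project,
+var.aws_account_id,
+var.region,
+)
+
+csi = replace(
+format(
+"%s-%s-%s",
+var.project,
+var.environment,
+var.component,
+),
+"_",
+"",
+)
+
+# CSI for use in resources with a global namespace, i.e. S3 Buckets
+csi_global = replace(
+format(
+"%s-%s-%s-%s-%s",
+var.project,
+var.aws_account_id,
+var.region,
+var.environment,
+var.component,
+),
+"_",
+"",
+)
+
+default_tags = merge(
+var.default_tags,
+{
+Project = var.project
+Environment = var.environment
+Component = var.component
+Group = var.group
+Name = local.csi
+},
+)
+}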
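--- a/infrastructure/terraform/components/acct/outputs.tf
+++ b/infrastructure/terraform/components/acct/outputs.tf
@@ -0,0 +1,11 @@
+output "dns_zone" {
+value = {
+id = aws_route53_zone.main.id
+name = aws_route53_zone.main.name
+nameservers = aws_route53_zone.main.name_servers
+}
+}
+
+output "github_pat_ssm_param_name" {
+value = aws_ssm_parameter.github_pat.name
+}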
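Review bot: Neither output carries a `description`, although both are consumed from another component (the iam data source reads `github_pat_ssm_param_name` through `local.acct`). Adding `description = "Hosted zone id, name and nameservers for the iam.<root_domain_name> zone"` to `dns_zone` and `description = "Name (not value) of the SecureString SSM parameter holding the GitHub PAT"` to `github_pat_ssm_param_name` documents the cross-component contract, and the second wording makes explicit that only the parameter name, never the secret, crosses the boundary.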
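--- a/infrastructure/terraform/components/acct/provider_aws.tf
+++ b/infrastructure/terraform/components/acct/provider_aws.tf
@@ -0,0 +1,24 @@
+provider "aws" {
+region = var.region
+
+allowed_account_ids = [
+var.aws_account_id,
+]
+
+default_tags {
+tags = local.default_tags
+}
+}
+
+provider "aws" {
+alias = "us-east-1"
+region = "us-east-1"
+
+default_tags {
+tags = local.default_tags
+}
+
+allowed_account_ids = [
+var.aws_account_id,
+]
+}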
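Review bot: The two provider blocks order `default_tags` and `allowed_account_ids` differently (the aliased block puts `default_tags` first), and nothing in the file says what the `us-east-1` alias is for; as far as the visible files show, nothing in this commit references it yet. Reordering the second block to match the first and adding a line such as `# us-east-1 alias: for resources that must live in us-east-1 — confirm intended consumer` would make the intent readable to the next maintainer.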
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
resource "aws_route53_delegation_set" "main" {
reference_name = "iam.${var.root_domain_name}"
}
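--- a/infrastructure/terraform/components/acct/route53_zone.tf
+++ b/infrastructure/terraform/components/acct/route53_zone.tf
@@ -0,0 +1,5 @@
+resource "aws_route53_zone" "main" {
+name = "iam.${var.root_domain_name}"
+
+delegation_set_id = aws_route53_delegation_set.main.id
+}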
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
resource "aws_ssm_parameter" "github_pat" {
name = "/${local.csi}/github_pat"
description = "A GitHub PAT token for settings up AWS Amplify. This is only used at initial setup of the service"
type = "SecureString"
value = try(var.initial_cli_secrets_provision_override.github_pat, "UNSET")

lifecycle {
ignore_changes = [value]
}
}

# This can be set at provision time like:
# PARAM_OBJECT=$(jq -n \
# --arg github_pat "github_pat_123abc" \
# '{github_pat:$github_pat}' | jq -R)
# .bin/terraform <args> .. -a apply -- -var="initial_cli_secrets_provision_override=${PARAM_OBJECT}"
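Review bot: The PAT supplied through `var.initial_cli_secrets_provision_override` is written to the `SecureString` parameter but also, in clear, to this component's Terraform state, and the usage example at the bottom passes it as a literal on the command line, where it lands in shell history and process listings; the state bucket named by `local.terraform_state_bucket` therefore needs the same access restrictions as the parameter, and the example would be safer reading the token from an environment variable or a file. Because `ignore_changes = [value]` freezes the value after the first apply, the `"UNSET"` placeholder persists until someone updates the parameter outside Terraform, which the `description` should say (it also has a typo, `settings up`). No `key_id` is given, so the parameter is encrypted with the account-default `aws/ssm` key; if a customer-managed key is intended, add `key_id = <KMS key ARN placeholder>`. This section's file header is not visible on the page, so the file path is not confirmed here.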
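--- a/infrastructure/terraform/components/acct/variables.tf
+++ b/infrastructure/terraform/components/acct/variables.tf
@@ -0,0 +1,66 @@
+##
+# Basic Required Variables for tfscaffold Components
+##
+
+variable "project" {
+type = string
+description = "The name of the tfscaffold project"
+}
+
+variable "environment" {
+type = string
+description = "The name of the tfscaffold environment"
+}
+
+variable "aws_account_id" {
+type = string
+description = "The AWS Account ID (numeric)"
+}
+
+variable "region" {
+type = string
+description = "The AWS Region"
+}
+
+variable "group" {
+type = string
+description = "The group variables are being inherited from (often synonmous with account short-name)"
+}
+
+##
+# tfscaffold variables specific to this component
+##
+
+# This is the only primary variable to have its value defined as
+# a default within its declaration in this file, because the variables
+# purpose is as an identifier unique to this component, rather
+# then to the environment from where all other variables come.
+variable "component" {
+type = string
+description = "The variable encapsulating the name of this component"
+default = "acct"
+}
+
+variable "default_tags" {
+type = map(string)
+description = "A map of default tags to apply to all taggable resources within the component"
+default = {}
+}
+
+##
+# Variables specific to the "dnsroot"component
+##
+
+variable "root_domain_name" {
+type = string
+description = "The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk"
+default = "nonprod.nhsnotify.national.nhs.uk"
+}
+
+variable "initial_cli_secrets_provision_override" {
+type = map(string)
+description = "A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules."
+default = {}
+# Usage like:
+# ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
+}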
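Review bot: `initial_cli_secrets_provision_override` carries the GitHub PAT but is not marked `sensitive = true`, so its value is printed in plan and apply output and in any error that echoes the variable; adding `sensitive = true` under its `default` keeps it redacted in output (the value still reaches state). The usage example in that block has unbalanced quoting (`\"l0ngstr1ng"}` lacks the final backslash) and differs from the commented example under the `aws_ssm_parameter` resource, so one correct example in a single place would be clearer. The section header `Variables specific to the "dnsroot"component` names a different component from this one (`acct`) and is missing a space, and `synonmous`, `nameespace` and `intialise` in the descriptions are typos. The `root_domain_name` default of `nonprod.nhsnotify.national.nhs.uk` bakes an environment-specific domain into the component; if every environment sets it anyway, dropping the default makes a missing value fail at plan time rather than silently creating the zone under the wrong name.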
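--- a/infrastructure/terraform/components/acct/versions.tf
+++ b/infrastructure/terraform/components/acct/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "~> 5.50"
+}
+}
+
+required_version = ">= 1.8.1, < 1.9.0"
+}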
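--- a/infrastructure/terraform/components/iam/.terraform-version
+++ b/infrastructure/terraform/components/iam/.terraform-version
@@ -0,0 +1 @@
+latest:^1.8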
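--- a/infrastructure/terraform/components/iam/acm_certificate.tf
+++ b/infrastructure/terraform/components/iam/acm_certificate.tf
@@ -0,0 +1,14 @@
+# resource "aws_acm_certificate" "main" {
+# # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-issuer
+# domain_name = "${local.csi}.${aws_route53_zone.main.name}"
+# validation_method = "DNS"
+
+# lifecycle {
+# create_before_destroy = true
+# }
+# }
+
+# resource "aws_acm_certificate_validation" "main" {
+# certificate_arn = aws_acm_certificate.main.arn
+# validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
+# }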
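Review bot: The whole of acm_certificate.tf is commented out, and the commented `aws_cognito_user_pool_domain` block later in this commit is parked the same way and depends on `aws_acm_certificate.main.arn`; neither says why, and the validation block references `aws_route53_record.validation`, which no visible file in this commit defines. A one-line header such as `# Parked: custom domain for the hosted UI is not enabled yet — see <ticket placeholder>` would explain the state, or both files could be left out until they are live. Note also that `aws_route53_zone.main` is declared in the acct component, while the rest of iam reads the zone through `local.acct.dns_zone`, so this block as written would not resolve from iam when uncommented.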
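--- a/infrastructure/terraform/components/iam/amplify_app.tf
+++ b/infrastructure/terraform/components/iam/amplify_app.tf
@@ -0,0 +1,24 @@
+resource "aws_amplify_app" "main" {
+name = local.csi
+repository = "https://github.com/NHSDigital/nhs-notify-iam-webauth"
+access_token = data.aws_ssm_parameter.github_pat_ssm_param_name.value
+
+iam_service_role_arn = aws_iam_role.amplify.arn
+
+enable_auto_branch_creation = false
+enable_branch_auto_build = var.enable_amplify_branch_auto_build
+platform = "WEB_COMPUTE"
+
+auto_branch_creation_patterns = [
+"*",
+"*/**"
+]
+
+environment_variables = {
+USER_POOL_ID = aws_cognito_user_pool.main.id
+HOSTED_LOGIN_DOMAIN = aws_cognito_user_pool.main.domain
+NOTIFY_GROUP = var.group
+NOTIFY_ENVIRONMENT = var.environment
+NOTIFY_DOMAIN_NAME = local.acct.dns_zone["name"]
+}
+}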
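Review bot: `auto_branch_creation_patterns` is set while `enable_auto_branch_creation = false`, so the patterns are inert; either drop them or add `# pre-configured for when auto branch creation is switched on` so the next reader knows they are intentional. `HOSTED_LOGIN_DOMAIN` reads `aws_cognito_user_pool.main.domain`, which is populated by a user-pool domain association; the `aws_cognito_user_pool_domain` block in this commit is commented out, so the variable will presumably be empty until that is enabled and deserves a comment saying so. The repository URL is hard-coded; a `variable "amplify_repository"` with this value as its default would keep the component reusable. The PAT read through `data.aws_ssm_parameter.github_pat_ssm_param_name` becomes the app's `access_token` and is stored in this component's state as well as acct's.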
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
resource "aws_amplify_domain_association" "domain" {
app_id = aws_amplify_app.main.id
domain_name = local.acct.dns_zone["name"]
enable_auto_sub_domain = false

sub_domain {
branch_name = module.amplify_branch.name
prefix = ""
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
resource "aws_cloudwatch_log_group" "amplify" {
name = "/aws/amplify/${local.csi}"
retention_in_days = var.log_retention_in_days
kms_key_id = module.kms.key_arn
}
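--- a/infrastructure/terraform/components/iam/cognito_user_pool.tf
+++ b/infrastructure/terraform/components/iam/cognito_user_pool.tf
@@ -0,0 +1,9 @@
+resource "aws_cognito_user_pool" "main" {
+name = local.csi
+
+username_attributes = ["email"]
+
+admin_create_user_config {
+allow_admin_create_user_only = true
+}
+}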
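Review bot: Beyond admin-only sign-up, the pool relies on provider defaults for everything security-relevant: no `deletion_protection`, no `mfa_configuration`, and no explicit `password_policy` or `account_recovery_setting`, so the effective password rules and MFA posture of this sign-in front end are whatever AWS defaults to and are invisible in code review. Setting them explicitly makes the policy reviewable and keeps a `terraform destroy` from removing the pool and all its users by accident. The values below are illustrative; minimum length, MFA mode and recovery mechanism should be set to the service's actual policy.
```hcl
resource "aws_cognito_user_pool" "main" {
  name = local.csi
  # … unchanged: username_attributes, admin_create_user_config …

  deletion_protection = "ACTIVE"

  mfa_configuration = "OPTIONAL"
  software_token_mfa_configuration {
    enabled = true
  }

  password_policy {
    minimum_length                   = 12
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = true
    require_symbols                  = true
    temporary_password_validity_days = 1
  }

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }
}
```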
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
resource "aws_cognito_user_pool_client" "main" {
name = local.csi
user_pool_id = aws_cognito_user_pool.main.id

callback_urls = flatten([
var.cognito_user_pool_additional_callback_urls,
[
"https://${local.csi}.${var.root_domain_name}/auth/",
"https://${local.csi}.${aws_amplify_app.main.id}.amplifyapp.com/auth/"
]
])

supported_identity_providers = flatten([
var.enable_cognito_built_in_idp ? ["COGNITO"] : [],
# identity_provider_names.provider.provider_name #e.g. auth0
])

allowed_oauth_flows = ["code"]
allowed_oauth_scopes = [
"openid",
"email",
"phone",
"profile",
"aws.cognito.signin.user.admin"
]
}
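Review bot: `allowed_oauth_flows` and `allowed_oauth_scopes` only take effect when `allowed_oauth_flows_user_pool_client = true` is set on the client (it defaults to false), so the authorization-code flow this block configures is not enabled as written. Two further hardening settings are absent: `prevent_user_existence_errors = "ENABLED"`, which stops sign-in errors revealing whether an email is registered (relevant with `username_attributes = ["email"]` on the pool), and `logout_urls`, without which the hosted UI has no registered sign-out redirect. The `aws.cognito.signin.user.admin` scope lets the front end read and modify the signed-in user's attributes through the Cognito API; if the web app only needs identity tokens, drop it. When `enable_cognito_built_in_idp` is false, `supported_identity_providers` collapses to an empty list, which the trailing comment suggests is a placeholder for a future external IdP — a comment stating that would help. This section's file header is not visible on the page.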
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# resource "aws_cognito_user_pool_domain" "domain" {
# user_pool_id = aws_cognito_user_pool.main.id
# domain = local.acct.dns_zone["name"]
# certificate_arn = aws_acm_certificate.main.arn
# }
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
data "aws_ssm_parameter" "github_pat_ssm_param_name" {
name = local.acct.github_pat_ssm_param_name
}
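Review bot: If the acct component's `aws_ssm_parameter.github_pat` still holds its `"UNSET"` placeholder (its `value` is frozen by `ignore_changes` after the first apply), this data source returns that literal and the failure only surfaces when `aws_amplify_app.main` tries to use it as an access token. A `postcondition` on the data source fails the plan with a clear message instead. `with_decryption` defaults to true here, so the decrypted PAT is stored in this component's state as well as acct's, and the iam state bucket needs matching access controls. This section's file header is not visible on the page.
```hcl
data "aws_ssm_parameter" "github_pat_ssm_param_name" {
  name = local.acct.github_pat_ssm_param_name

  lifecycle {
    postcondition {
      condition     = self.value != "UNSET"
      error_message = "GitHub PAT has not been provisioned in the acct component; supply initial_cli_secrets_provision_override there first."
    }
  }
}
```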